2016-07-14 - NEUTRINO EK FROM 185.141.25[.]57 SENDS BANDARCHOR RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-07-14-Neutrino-EK-sends-Bandarchor-ransomware.pcap.zip 245.9 kB (245,912 bytes)
- 2016-07-14-Neutrino-EK-sends-Bandarchor-ransomware.pcap (262,607 bytes)
- 2016-07-14-Neutrino-EK-and-Bandarchor-ransomware-filess.zip 190.8 kB (190,815 bytes)
- 2016-07-14-Bandarchor-ransomware-decryption-instructions.txt (1,156 bytes)
- 2016-07-14-Neutrino-EK-flash-exploit.swf (92,022 bytes)
- 2016-07-14-Neutrino-EK-landing-page.txt (2,209 bytes)
- 2016-07-14-Neutrino-EK-payload-Bandarchor-ransomware.exe (147,458 bytes)
NOTES:
Shown above: My tipper for this traffic at malwaredomainlist.
TRAFFIC
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- 93.190.140[.]110 port 80 - personal.editura-amsibiu[.]ro - Redirect/gate pointing to Neutrino EK
- 185.141.25[.]57 port 80 - yqhf8.wuwfti[.]top - Neutrino EK
- 192.169.82[.]86 port 80 - withloveforyou[.]com - Post-infection traffic
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- Primary email: sos@juicylemon[.]biz
- Secondary email: juicylemon@protonmail[.]com
- Bitmessage: BM-NBRCUPTenKgYbLVCAfeVUHVsHFK6Ue2F
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 93864387ee4a5796ea950c3fa5e826ecfb5d5a1c4146563d7366069b261ebe18
  File name: 2016-07-14-Neutrino-EK-flash-exploit.swf
PAYLOAD:
- SHA256 hash: 4c0855466cc65cfc273f8cd953c9bf328656732879a0ce387cbdf9c78b9827a1
  File name: 2016-07-14-Neutrino-EK-payload-Bandarchor-ransomware.exe
IMAGES
Shown above: An example of the encrypted files (10-digit numbers changed in this picture).
Shown above: The decryption instructions.
Shown above: The payload EXE's icon looks like a pig from Angry Birds.